Tuesday, August 30, 2005

The Invasion of the Chinese Cyberspies





WHO'LL STOP THE RAIN: Shawn Carpenter at his Maryland home

The Invasion of the Chinese Cyberspies
(And the Man Who Tried to Stop Them)

An exclusive look at how the hackers called TITAN RAIN are stealing U.S. secrets
By NATHAN THORNBURGH
Monday, Aug. 29, 2005


It was another routine night for Shawn Carpenter. After a long day analyzing computer-network security for Sandia National Laboratories, where much of the U.S. nuclear arsenal is designed, Carpenter, 36, retreated to his ranch house in the hills overlooking Albuquerque, N.M., for a quick dinner and an early bedtime. He set his alarm for 2 a.m. Waking in the dark, he took a thermos of coffee and a pack of Nicorette gum to the cluster of computer terminals in his home office. As he had almost every night for the previous four months, he worked at his secret volunteer job until dawn, not as Shawn Carpenter, mid-level analyst, but as Spiderman--the apt nickname his military-intelligence handlers gave him--tirelessly pursuing a group of suspected Chinese cyberspies all over the world. Inside the machines, on a mission he believed the U.S. government supported, he clung unseen to the walls of their chat rooms and servers, secretly recording every move the snoopers made, passing the information to the Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat. Methodical and voracious, these hackers wanted all the files they could find, and they were getting them by penetrating secure computer networks at the country's most sensitive military bases, defense contractors and aerospace companies.

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. "Most hackers, if they actually get into a government network, get excited and make mistakes," says Carpenter. "Not these guys. They never hit a wrong key."

Goaded by curiosity and a sense that he could help the U.S. defend itself against a new breed of enemy, Carpenter gave chase to the attackers. He hopped just as stealthily from computer to computer across the globe, chasing the spies as they hijacked a web of far-flung computers. Eventually he followed the trail to its apparent end, in the southern Chinese province of Guangdong. He found that the attacks emanated from just three Chinese routers that acted as the first connection point from a local network to the Internet.

It was a stunning breakthrough. In the world of cyberspying, locating the attackers' country of origin is rare. China, in particular, is known for having poorly defended servers that outsiders from around the world commandeer as their unwitting launchpads. Now Chinese computers appeared to be the aggressors.

If so, the implications for U.S. security are disturbing. In recent years, the counterintelligence community has grown increasingly anxious that Chinese spies are poking into all sorts of American technology to compete with the U.S. But tracking virtual enemies presents a different kind of challenge to U.S. spy hunters. Foreign hackers invade a secure network with a flick of a wrist, but if the feds want to track them back and shut them down, they have to go through a cumbersome authorization process that can be as tough as sending covert agents into foreign lands. Adding in extreme sensitivity to anything involving possible Chinese espionage--remember the debacle over alleged Los Alamos spy Wen Ho Lee?--and the fear of igniting an international incident, it's not surprising the U.S. has found it difficult and delicate to crack these cases.

In Washington, officials are tight-lipped about Titan Rain, insisting all details of the case are classified. But high-level officials at three agencies told TIME the penetration is considered serious. A federal law-enforcement official familiar with the investigation says the FBI is "aggressively" pursuing the possibility that the Chinese government is behind the attacks. Yet they all caution that they don't yet know whether the spying is official, a private-sector job or the work of many independent, unrelated hands. The law-enforcement source says China has not been cooperating with U.S. investigations of Titan Rain. China's State Council Information Office, speaking for the government, told TIME the charges about cyberspying and Titan Rain are "totally groundless, irresponsible and unworthy of refute."

Despite the official U.S. silence, several government analysts who protect the networks at military, nuclear-lab and defense- contractor facilities tell TIME that Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced. TIME has obtained documents showing that since 2003, the hackers, eager to access American know-how, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank. In one case, the hackers stole flight-planning software from the Army. So far, the files they have vacuumed up are not classified secrets, but many are sensitive and subject to strict export-control laws, which means they are strategically important enough to require U.S. government licenses for foreign use.

Beyond worries about the sheer quantity of stolen data, a Department of Defense (DOD) alert obtained by TIME raises the concern that Titan Rain could be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks. Although he would not comment on Titan Rain specifically, Pentagon spokesman Bryan Whitman says any attacks on military computers are a concern. "When we have breaches of our networks, it puts lives at stake," he says. "We take it very seriously."

As cyberspying metastasizes, frustrated network protectors say that the FBI in particular doesn't have enough top-notch computer gumshoes to track down the foreign rings and that their hands are often tied by the strict rules of engagement. That's where independents--some call them vigilantes--like Carpenter come in. After he made his first discoveries about Titan Rain in March 2004, he began taking the information to unofficial contacts he had in Army intelligence. Federal rules prohibit military-intelligence officers from working with U.S. civilians, however, and by October, the Army passed Carpenter and his late-night operation to the FBI. He says he was a confidential informant for the FBI for the next five months. Reports from his cybersurveillance eventually reached the highest levels of the bureau's counterintelligence division, which says his work was folded into an existing task force on the attacks. But his FBI connection didn't help when his employers at Sandia found out what he was doing. They fired him and stripped him of his Q clearance, the Department of Energy equivalent of top-secret clearance. Carpenter's after-hours sleuthing, they said, was an inappropriate use of confidential information he had gathered at his day job. Under U.S. law, it is illegal for Americans to hack into foreign computers.

Carpenter is speaking out about his case, he says, not just because he feels personally maligned--although he filed suit in New Mexico last week for defamation and wrongful termination. The FBI has acknowledged working with him: evidence collected by TIME shows that FBI agents repeatedly assured him he was providing important information to them. Less clear is whether he was sleuthing with the tacit consent of the government or operating as a rogue hacker. At the same time, the bureau was also investigating his actions before ultimately deciding not to prosecute him. The FBI would not tell TIME exactly what, if anything, it thought Carpenter had done wrong. Federal cyberintelligence agents use information from freelance sources like Carpenter at times but are also extremely leery about doing so, afraid that the independent trackers may jeopardize investigations by trailing foes too noisily or, even worse, may be bad guys themselves. When Carpenter deputized himself to delve into the Titan Rain group, he put his career in jeopardy. But he remains defiant, saying he's a whistle-blower whose case demonstrates the need for reforms that would enable the U.S. to respond more effectively and forcefully against the gathering storm of cyberthreats.

A TIME investigation into the case reveals how the Titan Rain attacks were uncovered, why they are considered a significant threat now under investigation by the Pentagon, the FBI and the Department of Homeland Security and why the U.S. government has yet to stop them.

Carpenter thought he was making progress. When he uncovered the Titan Rain routers in Guangdong, he carefully installed a homemade bugging code in the primary router's software. It sent him an e-mail alert at an anonymous Yahoo! account every time the gang made a move on the Net. Within two weeks, his Yahoo! account was filled with almost 23,000 messages, one for each connection the Titan Rain router made in its quest for files. He estimates there were six to 10 workstations behind each of the three routers, staffed around the clock. The gang stashed its stolen files in zombie servers in South Korea, for example, before sending them back to Guangdong. In one, Carpenter found a stockpile of aerospace documents with hundreds of detailed schematics about propulsion systems, solar paneling and fuel tanks for the Mars Reconnaissance Orbiter, the NASA probe launched in August. On the night he woke at 2, Carpenter copied a huge collection of files that had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.

Even if official Washington is not certain, Carpenter and other network-security analysts believe that the attacks are Chinese government spying. "It's a hard thing to prove," says a network-intrusion-detection analyst at a major U.S. defense contractor who has been studying Titan Rain since 2003, "but this has been going on so long and it's so well organized that the whole thing is state sponsored, I think." When it comes to advancing their military by stealing data, "the Chinese are more aggressive" than anyone else, David Szady, head of the FBI's counterintelligence unit, told TIME earlier this year. "If they can steal it and do it in five years, why [take longer] to develop it?"

Within the U.S. military, Titan Rain is raising alarms. A November 2003 government alert obtained by TIME details what a source close to the investigation says was an early indication of Titan Rain's ability to cause widespread havoc. Hundreds of Defense Department computer systems had been penetrated by an insidious program known as a "trojan," the alert warned. "These compromises ... allow an unknown adversary not only control over the DOD hosts, but also the capability to use the DOD hosts in malicious activity. The potential also exists for the perpetrator to potentially shut down each host." The attacks were also stinging allies, including Britain, Canada, Australia and New Zealand, where an unprecedented string of public alerts issued in June 2005, two U.S. network-intrusion analysts tell TIME, also referred to Titan Rain--related activity. "These electronic attacks have been under way for a significant period of time, with a recent increase in sophistication," warned Britain's National Infrastructure Security Co-Ordination Center.

Titan Rain presents a severe test for the patchwork of agencies digging into the problem. Both the cybercrime and counterintelligence divisions of the FBI are investigating, the law-enforcement source tells TIME. But while the FBI has a solid track record cajoling foreign governments into cooperating in catching garden-variety hackers, the source says that China is not cooperating with the U.S. on Titan Rain. The FBI would need high-level diplomatic and Department of Justice authorization to do what Carpenter did in sneaking into foreign computers. The military would have more flexibility in hacking back against the Chinese, says a former high-ranking Administration official, under a protocol called "preparation of the battlefield." But if any U.S. agency got caught, it could spark an international incident.

That's why Carpenter felt he could be useful to the FBI. Frustrated in gathering cyberinfo, some agencies have in the past turned a blind eye to free-lancers--or even encouraged them--to do the job. After he hooked up with the FBI, Carpenter was assured by the agents assigned to him that he had done important and justified work in tracking Titan Rain attackers. Within a couple of weeks, FBI agents asked him to stop sleuthing while they got more authorization, but they still showered him with praise over the next four months as he fed them technical analyses of what he had found earlier. "This could very well impact national security at the highest levels," Albuquerque field agent Christine Paz told him during one of their many information-gathering sessions in Carpenter's home. His other main FBI contact, special agent David Raymond, chimed in: "You're very important to us," Raymond said. "I've got eight open cases throughout the United States that your information is going to. And that's a lot." And in a letter obtained by TIME, the FBI's Szady responded to a Senate investigator's inquiry about Carpenter, saying, "The [FBI] is aggressively pursuing the investigative leads provided by Mr. Carpenter."

Given such assurances, Carpenter was surprised when, in March 2005, his FBI handlers stopped communicating with him altogether. Now the federal law-enforcement source tells TIME that the bureau was actually investigating Carpenter while it was working with him. Agents are supposed to check out their informants, and intruding into foreign computers is illegal, regardless of intent. But two sources familiar with Carpenter's story say there is a gray area in cybersecurity, and Carpenter apparently felt he had been unofficially encouraged by the military and, at least initially, by the FBI. Although the U.S. Attorney declined to pursue charges against him, Carpenter feels betrayed. "It's just ridiculous. I was tracking real bad guys," he says. "But they are so afraid of taking risks that they wasted all this time investigating me instead of going after Titan Rain." Worse, he adds, they never asked for the passwords and other tools that could enable them to pick up the investigative trail at the Guangdong router.

Carpenter was even more dismayed to find that his work with the FBI had got him in trouble at Sandia. He says that when he first started tracking Titan Rain to chase down Sandia's attackers, he told his superiors that he thought he should share his findings with the Army, since it had been repeatedly hit by Titan Rain as well. A March 2004 Sandia memo that Carpenter gave TIME shows that he and his colleagues had been told to think like "World Class Hackers" and to retrieve tools that other attackers had used against Sandia. That's why Carpenter did not expect the answer he claims he got from his bosses in response to Titan Rain: Not only should he not be trailing Titan Rain but he was also expressly forbidden to share what he had learned with anyone.

As a Navy veteran whose wife is a major in the Army Reserve, Carpenter felt he could not accept that injunction. After several weeks of angry meetings--including one in which Carpenter says Sandia counterintelligence chief Bruce Held fumed that Carpenter should have been "decapitated" or "at least left my office bloody" for having disobeyed his bosses--he was fired. Citing Carpenter's civil lawsuit, Sandia was reluctant to discuss specifics but responded to TIME with a statement: "Sandia does its work in the national interest lawfully. When people step beyond clear boundaries in a national security setting, there are consequences."

Carpenter says he has honored the FBI's request to stop following the attackers. But he can't get Titan Rain out of his mind. Although he was recently hired as a network-security analyst for another federal contractor and his security clearance has been restored, "I'm not sleeping well," he says. "I know the Titan Rain group is out there working, now more than ever."

--With reporting by Matthew Forney/Beijing and Brian Bennett, Timothy J. Burger and Elaine Shannon/Washington

3 Comments:

Blogger Steve Austin said...

I like your blog. Check out my bankruptcy or debt settlement blog.

12:40 PM  
Blogger Jeff james said...

Hello, nice stuff on your site. I need to spend more time on my site about VOIP and other evectis.com mesh voip wireless stuff. Thanks for some ideas.

8:17 AM  
Anonymous Anonymous said...

Hey... Interesting post on buster voip. By the way... Just found this resource where you can post your own articles on buster voip - if you have something you want to share with the world. Besides, at the same time you'll get a link back to your own site on anything concerning buster voip - or whatever else you'd like... why don't you check it out for yourself now...

3:21 PM  

Post a Comment

<< Home